Mobile Banking Changes Fuzzy Within FFIEC’s New Rules

Some may call it a convergence of three game-changing forces that are rewriting financial institution security at warp speed.

Mobile Banking Changes Fuzzy Within FFIEC’s New Rules

First, there is the U.S. government demand that financial institutions – credit unions included – comply with new security guidelines issued by the interagency Federal Financial Institutions Examination Council to take effect in January 2012.

Force two: survey data underlining the reality that a significant percentage of consumers are holding back from mobile banking precisely because of fears of security breaches. Those concerns are backed by new research from security firm ThreatMetrix of Los Altos, Calif., which reported one in five consumers or 21% felt “completely protected” against fraudsters while using mobile banking tools, said ThreatMetrix CEO Reed Taussig.

Force three: it may be paradox but some credit unions around the country nonetheless report buoyant demand, much more than forecast, for mobile banking, which is emerging as the must-have technology of the moment. Add those forces together and by any yardstick, the coming few months may shape up as an interesting time for credit unions and their technology gurus.

As for the buoyant demand, the numbers may prove it. At Columbia Credit Union in Vancouver, Wash., the $769 million institution said it introduced mobile banking three months ago and already, 20% of online banking users have registered to use it. “The adoption was much quicker than we had anticipated,” said Jen Shefner, assistant vice president of e-commerce at Columbia.

The story is similar at the $2.2 billion State Employees Credit Union of Maryland Inc. in Linthicum. Of its 248,000 members, more than 20,000 of them are mobile banking users, said Kristen Heerema, product manager. Demand, particularly following the rollout of a new iPhone app in August, is strong, she added. Karen Haugen, a marketing manager at SECU, said that about 25% of the institution’s online banking users are signed up for mobile banking.

Amid the rush into mobile banking, questions persist about the security of the channel and that is precisely where the FFIEC standards enter, said Mickey Goldwasser, vice president of marketing at Q2eBanking, an Austin, Texas-based developer of mobile banking tools. “The FFIEC guidance surprised no one,” Goldwasser said. “It says the same guidance for online should be applied to mobile. They are telling institutions to be prepared.”

At Fiserv, mobile manager Calvin Grimes added “The new [FFIEC] guidance has gotten a lot of attention. What the government is doing is extending existing security policies into the mobile space. Every institution will interpret this differently. FFIEC is not necessarily prescriptive.”

That last bit is key. Other than putting forth a so-called layered approach, the FFIEC guidelines offer few specifics, said Avivah Litan, vice president at Gartner Inc., an information technology research and advisory company in Stamford, Conn. “This area is starting to heat up. I am getting calls from clients every day about what they should be doing,” said Litan, who agreed that the written FFIEC materials offer sparse details, especially in regards to smaller institutions and what they need to be doing to secure their mobile banking channel. “There are no clear directions from the regulator,” she noted.

An oddity about the FFIEC guidance is that despite what is happening in the marketplace, it is surprisingly mum in regard to offering security guidance specifically targeted at mobile banking. “It is interesting that FFIEC doesn’t talk at all about mobile,” said Laura Mather, founder of security firm Silver Tail Systems in Menlo Park, Calif.

Maybe that vagueness in the FFIEC guidance is why some institutions now report they are in a study mode. “We are putting a plan for FFIEC in place. We are doing a risk assessment,” said Shefner with Columbia. “We are working with vendors, and we are looking at the new recommendations and how they affect all of our channels.”

At SECU, product manager Ron Waters said, “Our compliance strategy is to be within guidelines. We are working with third-party vendors. We always work with a broad team to meet all the compliance points. We take compliance requirements seriously.”

The $400 million Generations Federal Credit Union in San Antonio, Texas is also in evaluation mode regarding the new FFIEC rules. “[We] are in the process of reviewing third-party vendors to come in and conduct an assessment. We don’t anticipate their being too many changes as we do try to keep up on the various technologies,” wrote Ashley Harris, Generations FCU director of public relations, in an emailed statement.

“However, and of course that’s a big however, there is always room for improvement,” Harris said. “When that third party comes back with the assessment, we’ll develop a plan from there to address anything that they come across.” Just what should credit unions focus on in the run up to January?

Brian Abele, vice president of product management at Q2eBanking, shared what that firm is advising its credit union clients. “The FFIEC guidance talks about a layered approach,” Abele said. “We agree. Effective security is about having multiple layers. We emphasize there is no panacea.”

Abele cautioned that the FFIEC is not the end-all when it comes to security and mobile banking. “Complying with the regulatory aspect is critical but the ultimate goal is not having something bad happen to your members.”